REALLY simple login?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales
Post by m0u53m4t »

I want a really simple login thing that all it does is say the file logfile.txt can't be accessed unless you log in. I don't even care if the password is in the code!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Okay, so you have a simple goal.

What have you figured out so far?
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

...That PHP is confusing :lol: All I want is for someone not to be able to access logfile.txt without having started a session. Can you recommend a site to start learning PHP from so I can start on this code please?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Code:

$username = 'John';
$password = 'password';

if ($username == 'John' && $password == 'password') {
   //display text file
}
else {
   echo 'You must login to view logfile.txt';
}
There's a start. Now you have to work on getting information from forms to grab the username and variable from the form value instead of hardcoding it within the script. Have a look at http://ca3.php.net/manual/en/tutorial.forms.php
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

So if I have a form like this:

Code:

<html>
	<form action="loginhandler.php" method="get">
		<input type="text" name="username" size="24">
		<p><input type="password" name="password" size="24"></p>
		<p><input type="submit"></p>
	</form>
</html>
and a php code like this:

Code:

<?php
if ($username == 'John' && $password == 'password') {
   //display text file
}
else {

   echo 'You must login to view logfile.txt';
}
?>
I'm getting the error "You must login to view logfile.txt" every time...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

How about a form like this:

Code:

<html>
    <span style="color:red"><?php echo $errmsg; ?></span>
	<form action="loginhandler.php" method="post">
		<input type="hidden" name="submitted" value="yes">
		<p><input type="text" name="username" size="24"></p>
		<p><input type="password" name="password" size="24"></p>
		<p><input type="submit"></p>
	</form>
</html>
and PHP code like this (not tested):

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', $_POST['submitted']);

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
    //display text file
} else {
    //display sign-in form with $errmsg
}
?>
Last edited by Christopher on Wed Apr 19, 2006 3:01 pm, edited 1 time in total.
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I tweaked the script a bit to be

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', $_POST('submitted')

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username');
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password');
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
    //display text file
} else {
    //display sign-in form with $errmsg
}
?>
But I'm getting this error: Parse error: parse error, unexpected T_VARIABLE in /home/freehost/t35.com/j/u/juniorfiles/loginhandler.php on line 4
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I edited the PHP to add closing ']' to the $_POST vars.

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', (isset($_POST['submitted']) ? $_POST['submitted'] : null));

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['username']) ? $_POST['username'] : null));
    $password = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['password']) ? $_POST['password'] : null));
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
?>
The text.
<?php
} else {
?>
<html>
    <span style="color:red"><?php echo $errmsg; ?></span>
   <form action="loginhandler.php" method="post">
      <input type="hidden" name="submitted" value="yes">
      <p><input type="text" name="username" size="24"></p>
      <p><input type="password" name="password" size="24"></p>
      <p><input type="submit"></p>
   </form>
</html> 
<?php
}
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I've been talking to my friend and he made me a script and it works. Here it is:

Code:

<?php  
$username = $_GET["username"]; 
$password = $_GET["password"]; 
 
if ($username == 'John' && $password == 'password') {  
   //display text file  
}  
else {  
  
   echo 'You must login to view logfile.txt';  
}  
?>
With the html:

Code:

<html>
   <form action="loginhandler.php" method="get">
      <input type="text" name="username">
      <p><input type="password" name="password"></p>
      <p><input type="submit"></p>
   </form>
</html>
Now, this is my first idea on how to stop people accessing my file:
I make a file like this-

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com.*$ [NC]
RewriteRule \.(txt)$ - [F]
and saved it as .htaccess.txt, based on this script: http://lissaexplains.com/html6.shtml#direct, but it still doesn't seem to be working.
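A few points a practitioner would want to check in the scripts above before relying on them. The first form handler never reads anything from $_GET, so $username and $password are unset and the comparison always fails, which is why it printed the error every time. The friend's version works but sends the password in the query string (GET), where it ends up in browser history and server logs, and every version so far keeps the plaintext password in the source and compares it with ==. The rewrite rules only look at the Referer header, which the client chooses to send or not, so they are not an access control on logfile.txt at all: anyone can still fetch /logfile.txt directly. The following is an added example, not code from any post in this thread, showing one way to do the gate with a session, a hashed password checked with password_verify(), constant-time comparison with hash_equals(), a CSRF token on the form, and the log file read from a path outside the web root so the web server can never serve it directly. The paths, the LOGFILE_PW_HASH environment variable and the credentialsValid/showLogfile/renderForm function names are assumptions made for this example.

```php
<?php
// Added example, not from the thread above. Assumptions (hypothetical):
//  - PHP >= 7.0 with sessions available;
//  - logfile.txt lives OUTSIDE the document root, so the only route to it
//    is through this script and no .htaccess trickery is needed;
//  - the bcrypt hash of the password is in the environment variable
//    LOGFILE_PW_HASH, generated once with:
//      php -r 'echo password_hash("secret", PASSWORD_DEFAULT);'
declare(strict_types=1);

const LOGFILE_PATH = __DIR__ . '/../private/logfile.txt';   // hypothetical path
const LOGIN_USER   = 'John';                                 // same user as in the thread

// Compare the submitted credentials with the configured ones.
// hash_equals() keeps the username check constant-time; password_verify()
// checks against the stored bcrypt hash, so no plaintext password is in the code.
function credentialsValid(string $user, string $pass, string $expectedUser, string $expectedHash): bool
{
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $expectedHash);
    return $userOk && $passOk;   // evaluate both so timing does not reveal which one failed
}

// Per-session CSRF token for the login form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf'];
}

// Sign-in form; the message is escaped before it is echoed into the page.
function renderForm(string $errmsg): void
{
    $safeMsg = htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8');
    $token   = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<html><body>
<span style="color:red">{$safeMsg}</span>
<form action="loginhandler.php" method="post">
  <input type="hidden" name="csrf" value="{$token}">
  <p><input type="text" name="username" size="24" autocomplete="username"></p>
  <p><input type="password" name="password" size="24" autocomplete="current-password"></p>
  <p><input type="submit" value="Log in"></p>
</form>
</body></html>
HTML;
}

// Send the log file as plain text; fail closed if it cannot be read.
function showLogfile(string $path): void
{
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(500);
        echo 'logfile.txt is not available';
        return;
    }
    header('Content-Type: text/plain; charset=UTF-8');
    readfile($path);
}

session_start();

$expectedHash = getenv('LOGFILE_PW_HASH') ?: '';   // empty means nobody can log in
$errmsg = '';

if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_regenerate_id(true);
    renderForm('You have been logged out.');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrfOk = isset($_POST['csrf']) && hash_equals(csrfToken(), (string) $_POST['csrf']);
    $user   = (string) ($_POST['username'] ?? '');
    $pass   = (string) ($_POST['password'] ?? '');

    if ($csrfOk && $expectedHash !== '' && credentialsValid($user, $pass, LOGIN_USER, $expectedHash)) {
        session_regenerate_id(true);        // fresh session id after login (anti-fixation)
        $_SESSION['logged_in'] = true;
    } else {
        $errmsg = 'Invalid username or password.';   // one message for every failure
    }
}

if (!empty($_SESSION['logged_in'])) {
    showLogfile(LOGFILE_PATH);
} else {
    renderForm($errmsg);
}
```

If the host does not let you put files above the document root, the fallback is to keep logfile.txt in the web root and deny direct requests to it in .htaccess with a <Files "logfile.txt"> block containing "Order allow,deny" and "Deny from all", the same shape as the block andym01480 suggests below for protecting .htaccess itself; PHP's readfile() reads from disk, not over HTTP, so the script above still works with that deny rule in place.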
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

You are using Apache as a server, aren't you? .htaccess doesn't work with Windows servers!
.htaccess, not .htaccess.txt

Also add

<Files .htaccess>
order allow,deny
deny from all
</Files>

which stops people looking at your .htaccess file to see what you are stopping them doing!

Never used the Rewrite code, so I couldn't tell you if that would work once .htaccess is named right. Sorry!
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Forms should use the POST method unless there's a specific reason not to. Also bear in mind you must validate the username and password (or, for simplicity, amend it such as in aborint's example). Failing to do so, while not immediately a security threat, is bad practice - it's not a habit you should fall into. aborint's example is far more robust IMO.
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

Whenever I call something .htaccess or .logfile.txt they just disappear :roll:
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

They don't really disappear. They are hidden, like any file that begins with a period.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Change your directory settings to view hidden files...;)
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?